TR-31 - GHOST / CVE-2015-0235 - glibc vulnerability - gethostbyname() (associated function calls)


  1. Overview
  2. Vulnerable systems
  3. Non-vulnerable systems
  4. PHP
  5. Java
  6. Classification of this document
  7. Revision


Overview

GHOST / CVE-2015-0235 is a ‘buffer overflow’ vulnerability affecting the gethostbyname() function calls in the glibc library. An attacker could exploit this vulnerability to execute code on a remote host by supplying an invalid DNS response.

Vulnerable systems

If your glibc library is at or below version 2.17, you are probably vulnerable to CVE-2015-0235.

Non-vulnerable systems

If your glibc library is at or above version 2.18, you are not vulnerable to CVE-2015-0235.

PHP

PHP code relying on the native glibc gethostbyname() function is vulnerable, as mentioned by sucuri. We advise reviewing the code and ensuring that the native glibc library and the PHP interpreter are patched.

Java

If your code relies on the java_net_Inet4AddressImpl class (in JDK 7), it natively calls gethostbyname() (if compiled with the GLIBC option, which is the case for any standard GNU/Linux distribution).

JDK 7 - java.net.Inet4AddressImpl class

Java applications which rely on the java.net.Inet4AddressImpl class, whose associated methods rely on gethostbyname() calls, are vulnerable if the underlying operating system/glibc is not patched.

It is also recommended to restart Java applications after the glibc update, as the dynamic library might be cached by the JVM.

In JDK 8 (java_net_Inet4AddressImpl class), gethostbyname() was replaced by getaddrinfo(), which is not vulnerable, in a patch from November 2011.

JDK 8 Update replacing gethostbyname() by getaddrinfo() JDK 8 - getaddrinfo() patch

So Java applications (JDK 7, or JDK 8 before November 2011) that check records from non-trusted DNS sources are vulnerable to the GHOST vulnerability if glibc is not patched or an older glibc (< 2.18) is in use.
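The version threshold and the restart recommendation above can both be checked on a host. The script below is an added example, not part of the CIRCL advisory: it flags a glibc version at or below 2.17 and lists processes (a JVM, for instance) that still map a libc file replaced on disk by an update. It assumes a Linux /proc filesystem; the function names and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not CIRCL's code. Function names are this example's own.

# version_at_risk VERSION: succeeds if VERSION is <= 2.17, the advisory's
# threshold. Distributions backport fixes, so a match means "check the vendor
# patch level", which is why the advisory says "probably vulnerable".
version_at_risk() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "${minor:-0}" -le 17 ]; }
}

# maps_has_stale_libc FILE: succeeds if FILE (/proc/PID/maps format) contains a
# libc mapping marked "(deleted)", i.e. the process still runs the old library
# that an update replaced on disk and needs a restart.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Constructed sample: one line of a JVM's maps file after a glibc update.
SAMPLE_STALE='7f3a10000000-7f3a101b6000 r-xp 00000000 08:01 393250 /lib64/libc-2.17.so (deleted)'
# Constructed sample: the same mapping in a process started after the update.
SAMPLE_FRESH='7f3a10000000-7f3a101b6000 r-xp 00000000 08:01 393311 /lib64/libc-2.17.so'

# scan_processes: print PID and command line of every readable process that
# still maps a deleted libc (run as root to see all processes).
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        maps_has_stale_libc "$maps" || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    done
}

# Only touch the live system when asked to: sh thisfile.sh --scan
if [ "${1:-}" = "--scan" ]; then
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    if [ -n "$v" ] && version_at_risk "$v"; then
        echo "glibc $v: at or below 2.17, verify the vendor patch level"
    fi
    scan_processes
fi
```

Any process listed by `--scan` after the glibc update is still executing the pre-update library and stays exposed until it is restarted.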

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version